POKÉMON NO! Game or Security Nightmare?
Want to chase virtual Pokémon characters into high-rises, subways, and homes? No sweat. Just grant the game developer, Niantic, access to your location and email address and you’re ready to go. That’s where the new game, downloaded by over forty million people worldwide in its first week of launch, rubbed privacy activists the wrong way.
Pokémon GO is a location-based augmented reality mobile game. It’s kind of like a virtual gaming lens for your field of vision. The game uses the GPS and camera capabilities on a player’s mobile device to overlay a virtual Pokémon character into the player’s actual field of view. The player can then “capture” the Pokémon character by flicking a Poké ball at it via the mobile screen. Sound silly? Over twenty million people are playing this game on their phone every day, not to mention other apps that use similar information. After the wildly successful launch of the game in the U.S., Niantic recently launched Pokémon GO! in Japan with McDonald’s serving as a sponsor.
The game has also stirred legal controversy, particularly over property rights, as players unabashedly traipse into cemeteries, museums, and private property in hot pursuit of virtual Pokémon. The Holocaust Museum experienced such an influx of Pokémon hunters that it declared itself a Pokémon-free zone. Despite the buzz and controversy over attractive nuisance, trespass, and other liability risks, a bigger question awaits: What information is the game accessing, and how is it being utilized and secured?
When the game first launched, users had to grant Niantic “full account access” for their Google accounts. In theory, this would allow Niantic to access a player’s email account (meaning read or send emails), his Google Drive (including the ability to delete documents) and Google Photos. Niantic quickly modified the access granted to a “fixed Google scope,” merely the user’s ID and email address. To function, the game has to access your location data, and many users also choose to give it access to their camera. The game can literally see what twenty million people who are playing it every day see.
Imagine if it was hacked. The game could provide access to the locations and movements of millions, and might further provide access to images from their cameras. This “creepy” factor—which we mentioned in our recent “SmartLens” article—was one major element preventing Google Glass from achieving social acceptance and market adoption. Apparently, it doesn’t bother people anymore that there are millions of devices roaming the streets every day capable of streaming live location data and video footage to anyone smart enough to access it. Remember when Batman used all the cell phones in Gotham to generate a map of Gotham, complete with the locations of each and every occupant, each one identifiable by the sound of her voice? The type of knowledge that might be gained from so many “eyes on the ground” raises huge data security concerns.
Imagine if a third party compromised Niantic’s security and published data about its players’ locations. Not only would your home address, workplace, and name be connected for all to see, so would many of your other daily habits. Anyone who wanted to could track you down at your daily gym visit, your regular lunchtime haunts, the bar you visit every Friday night, etc. Your phone would have been transformed into the perfect stalker tool. While this is just one—quite frightening—consideration, we are predicting many forms of litigation as a result of this infectious game and others like it.
Do you think Pokémon GO! is too risky a game? What other legal ramifications or potential litigation do you see stemming from this worldwide, go-anywhere activity?